Bug 211114 - archivers/p7zip: update to 15.14.1 (Fixes security vulnerabilities)
Summary: archivers/p7zip: update to 15.14.1 (Fixes security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Some People
Assignee: Raphael Kubo da Costa
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2016-07-14 15:09 UTC by Piotr Kubaj
Modified: 2016-07-15 13:46 UTC (History)
CC List: 3 users

See Also:
rakuco: maintainer-feedback+
feld: merge-quarterly+


Attachments
  v15.14.1 patch (809 bytes, patch), 2016-07-14 15:09 UTC, Piotr Kubaj. Flags: rakuco: maintainer-approval-
  Poudriere log (475.85 KB, text/x-log), 2016-07-14 15:10 UTC, Piotr Kubaj. Flags: none
  CVE patch (3.01 KB, patch), 2016-07-14 15:41 UTC, Piotr Kubaj. Flags: rakuco: maintainer-approval+

Description Piotr Kubaj freebsd_committer freebsd_triage 2016-07-14 15:09:46 UTC
Created attachment 172517 [details]
v15.14.1 patch

The patch is attached. Note that 15.14.1 also fixes CVE-2016-2334 and CVE-2016-2335, so it's also a security patch.
Comment 1 Piotr Kubaj freebsd_committer freebsd_triage 2016-07-14 15:10:19 UTC
Created attachment 172518 [details]
Poudriere log
Comment 2 Raphael Kubo da Costa freebsd_committer freebsd_triage 2016-07-14 15:30:30 UTC
Thanks for bringing these CVEs up. Unfortunately, 15.14.1 does not fix them.

From 15.14.1's changelog:

> Version 15.14.1
> ===============
> 
>   - patch #32 Compiling in OS X fails with p7zip_15.14

Indeed, `diff -uprN p7zip_15.14 p7zip_15.14.1` shows that it's the only difference between the two releases.

p7zip 16.02 was released just a few hours ago and does contain the patches from https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/?limit=25#c6ae that several distros had adopted (Debian, OpenSUSE and Arch Linux at least).

The best course of action here is to:
* Backport only those two patches to 15.14 and MFH.
* Optionally update p7zip to 16.02 in trunk.

Let me know if you'd like to take on the first item, otherwise I'll do it later today.
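The check Raphael describes above (diffing two unpacked release trees to see whether the files the security patches touch actually changed) as an added shell example; this is not code from the bug, from the port or from p7zip. The two patched paths (CPP/7zip/Archive/HfsHandler.cpp and CPP/7zip/Archive/Udf/UdfIn.cpp) are taken from the patch file names used in the port; everything else, including the assumption that a 15.14.1-style point release only touched a build file named makefile.machine, is constructed for the demo and is not a statement about the real tarballs.

```shell
#!/bin/sh
# Added example, not code from the bug report or from p7zip.
# Given two unpacked source trees, list what changed and check whether the
# files the security patches touch are among the changed files. The tree
# layout and file contents below are constructed for the demo; only the two
# patched paths come from the patch names in the port.
set -eu

# Relative paths of files that differ between OLD and NEW, taken from the
# "+++" headers of a recursive unified diff (the same diff -uprN invocation
# used in the bug). diff exits 1 when the trees differ, but the pipeline's
# status is sed's, so this is safe under set -e.
changed_files() {
    diff -uprN "$1" "$2" | sed -n "s|^+++ $2/\([^[:space:]]*\).*|\1|p"
}

# Succeed only if every path given after OLD and NEW is in the changed set.
covers_patched_files() {
    old=$1; new=$2; shift 2
    changed=$(changed_files "$old" "$new")
    for f in "$@"; do
        printf '%s\n' "$changed" | grep -qxF "$f" || return 1
    done
    return 0
}

# Files the CVE-2016-2334 / CVE-2016-2335 port patches modify.
CVE_FILES='CPP/7zip/Archive/HfsHandler.cpp CPP/7zip/Archive/Udf/UdfIn.cpp'

# Build a constructed source tree: BUILD_REV marks a build file, CVE_REV
# marks the two archive handlers. Different marks mean "file changed".
make_tree() {
    mkdir -p "$1/CPP/7zip/Archive/Udf"
    printf 'build flags rev %s\n' "$2" > "$1/makefile.machine"
    printf 'HFS handler rev %s\n' "$3" > "$1/CPP/7zip/Archive/HfsHandler.cpp"
    printf 'UDF reader rev %s\n'  "$3" > "$1/CPP/7zip/Archive/Udf/UdfIn.cpp"
}

# Compare a base tree against one with the given BUILD_REV / CVE_REV marks and
# report whether the CVE-patched files changed. CVE_FILES is intentionally
# unquoted so it splits into two arguments.
check_release() {
    t=$(mktemp -d)
    make_tree "$t/old" 0 0
    make_tree "$t/new" "$1" "$2"
    if covers_patched_files "$t/old" "$t/new" $CVE_FILES; then rc=0; else rc=1; fi
    rm -rf "$t"
    return $rc
}

# A 15.14 -> 15.14.1 style point release: only the build fix changed (assumed).
demo_point_release()   { check_release 1 0; }
# A release that also carries the two CVE patches.
demo_patched_release() { check_release 1 1; }

if demo_point_release; then
    echo "point release: patched files changed, CVE fix may be included"
else
    echo "point release: patched files untouched, backport the CVE patches"
fi
demo_patched_release && echo "patched release: both CVE files changed"
```

To apply it to real tarballs, unpack both releases and call covers_patched_files on the two directories with the paths from the port's patch files; a failing exit status means the new release does not touch those files and the patches still need to be backported, which is exactly the 15.14 versus 15.14.1 situation described above.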
Comment 3 Piotr Kubaj freebsd_committer freebsd_triage 2016-07-14 15:41:56 UTC
Created attachment 172520 [details]
CVE patch

I actually have those patches ready, the patch to commit is attached.
Comment 4 Piotr Kubaj freebsd_committer freebsd_triage 2016-07-14 15:42:22 UTC
The port with patch compiles fine.
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-07-15 11:23:37 UTC
A commit references this bug:

Author: rakuco
Date: Fri Jul 15 11:23:23 UTC 2016
New revision: 418575
URL: https://svnweb.freebsd.org/changeset/ports/418575

Log:
  Document CVE-2016-2334 and CVE-2016-2335 in archivers/p7zip.

  PR:		211114

Changes:
  head/security/vuxml/vuln.xml
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-07-15 11:25:40 UTC
A commit references this bug:

Author: rakuco
Date: Fri Jul 15 11:25:07 UTC 2016
New revision: 418576
URL: https://svnweb.freebsd.org/changeset/ports/418576

Log:
  Add patches for CVE-2016-2334 and CVE-2016-2335.

  While here, use PORTREVISION?= instead of PORTREVISION= to avoid needlessly
  bumping PORTREVISION in archivers/p7zip-codec-rar.

  PR:		211114
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl>
  MFH:		2016Q3
  Security:	a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49
  Security:	d706a3a3-4a7c-11e6-97f7-5453ed2e2b49

Changes:
  head/archivers/p7zip/Makefile
  head/archivers/p7zip/files/patch-CPP_7zip_Archive_HfsHandler.cpp
  head/archivers/p7zip/files/patch-CPP_7zip_Archive_Udf_UdfIn.cpp
Comment 7 Raphael Kubo da Costa freebsd_committer freebsd_triage 2016-07-15 11:26:49 UTC
Committed, thank you very much for the patch.
Comment 8 commit-hook freebsd_committer freebsd_triage 2016-07-15 13:46:49 UTC
A commit references this bug:

Author: feld
Date: Fri Jul 15 13:45:51 UTC 2016
New revision: 418579
URL: https://svnweb.freebsd.org/changeset/ports/418579

Log:
  MFH: r418576

  Add patches for CVE-2016-2334 and CVE-2016-2335.

  While here, use PORTREVISION?= instead of PORTREVISION= to avoid needlessly
  bumping PORTREVISION in archivers/p7zip-codec-rar.

  PR:		211114
  Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl>
  Security:	a9bcaf57-4a7b-11e6-97f7-5453ed2e2b49
  Security:	d706a3a3-4a7c-11e6-97f7-5453ed2e2b49

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q3/
  branches/2016Q3/archivers/p7zip/Makefile
  branches/2016Q3/archivers/p7zip/files/patch-CPP_7zip_Archive_HfsHandler.cpp
  branches/2016Q3/archivers/p7zip/files/patch-CPP_7zip_Archive_Udf_UdfIn.cpp